
rkill \\.\globalroot\Device\svchost.exe\svchost.exe



Hi. I've run into a variant of a rootkit infection that I've seen on this board earlier. Unfortunately, it has some of the same symptoms as others, but not all.

I'm unable to run Malwarebytes or OTL or even Process Explorer. On the PC in question, Google redirects almost all the time.

What I've noticed is that the infection changes the security settings of the files used to try to remove it. For example, if you install and run mbam.exe, it will run for a very short time and then disappear; the process isn't listed in Task Manager. Then when you look at the Security tab on the file, you see that its security settings have changed themselves back to "Everybody" with full access. That's deceiving. The file can no longer run.

When you run rkill it always comes back with \\.\globalroot\Device\svchost.exe\svchost.exe as being stopped.

I need to run these tools in safe mode and will do so later this week. Any suggestions?


  • Staff

Hi and welcome to Malwarebytes.

Download DDS by sUBs and save it to your Desktop.

Double-click on the DDS icon and let the scan run. When it has finished, two logs will be produced; please post DDS.txt directly into your reply.

After you post that, do the following:

  • Download the file TDSSKiller.zip and extract it into a folder on the infected PC.
  • Execute the file TDSSKiller.exe by double-clicking on it.
  • Wait for the scan and disinfection process to be over.
  • When its work is over, the utility prompts for a reboot to complete the disinfection.

By default, the utility outputs a runtime log into the system disk root directory (the disk where the operating system is installed, C:\ as a rule).

The log is named like UtilityName.Version_Date_Time_log.txt, for example C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt.

Please post that log here.


Hi Chris,

I ran the DDS and the TDSSKiller. Here's that log:

2010/11/15 18:38:11.0803 TDSS rootkit removing tool 2.4.7.0 Nov 8 2010 10:52:22

2010/11/15 18:38:11.0803 ================================================================================

2010/11/15 18:38:11.0803 SystemInfo:

2010/11/15 18:38:11.0803

2010/11/15 18:38:11.0803 OS Version: 5.1.2600 ServicePack: 3.0

2010/11/15 18:38:11.0803 Product type: Workstation

2010/11/15 18:38:11.0803 ComputerName: DT-EBRENMAN1

2010/11/15 18:38:11.0803 UserName: ericb

2010/11/15 18:38:11.0803 Windows directory: C:\WINDOWS

2010/11/15 18:38:11.0803 System windows directory: C:\WINDOWS

2010/11/15 18:38:11.0803 Processor architecture: Intel x86

2010/11/15 18:38:11.0803 Number of processors: 2

2010/11/15 18:38:11.0803 Page size: 0x1000

2010/11/15 18:38:11.0803 Boot type: Normal boot

2010/11/15 18:38:11.0803 ================================================================================

2010/11/15 18:38:11.0865 !crdlk

2010/11/15 18:38:11.0896 Initialize success

2010/11/15 18:38:13.0066 ================================================================================

2010/11/15 18:38:13.0066 Scan started

2010/11/15 18:38:13.0066 Mode: Manual;

2010/11/15 18:38:13.0066 ================================================================================


2010/11/15 18:38:15.0296 NetBT (6944d2c7d400aad8907bd0eca911a9ce) C:\WINDOWS\system32\DRIVERS\netbt.sys

2010/11/15 18:38:15.0296 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\netbt.sys. Real md5: 6944d2c7d400aad8907bd0eca911a9ce, Fake md5: 74b2b2f5bea5e9a3dc021d685551bd3d

2010/11/15 18:38:15.0296 NetBT - detected Forged file (1)


2010/11/15 18:38:16.0591 Suspicious service (NoAccess): vbmacaa8

2010/11/15 18:38:16.0607 vbmacaa8 - detected Locked service (1)


2010/11/15 18:38:16.0872 ================================================================================

2010/11/15 18:38:16.0872 Scan finished

2010/11/15 18:38:16.0872 ================================================================================

2010/11/15 18:38:16.0903 Detected object count: 2

2010/11/15 18:40:34.0601 Forged file(NetBT) - User select action: Skip

2010/11/15 18:40:34.0601 Locked service(vbmacaa8) - User select action: Skip

I attached the attach.zip next.

TDSSKiller found two possible instances: either c:\windows\system32\Drivers\netbt.sys (forged) or vbmacaa8.sys. vbmacaa8.sys I can't find on the PC. I've uploaded that log as well. I think netbt.sys is a good file; I'm not so sure about vbmacaa8.sys. TDSSKiller never asked me to reboot. It wanted to skip both files.

Attach.zip

TDSSKillerlog.txt

DDS.txt


  • Staff

Hi,

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1

Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following quotebox into the main textfield:
    :filefind
    netbt.sys
    vbmacaa8.sys
    loader_107.exe
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317



Here's the Systemlook log:

SystemLook 04.09.10 by jpshortstuff

Log created at 12:42 on 17/11/2010 by ericb

Administrator - Elevation successful

========== filefind ==========

Searching for "netbt.sys"

C:\i386\netbt.sys --a---- 162816 bytes [20:30 05/11/2008] [19:21 13/04/2008] 74B2B2F5BEA5E9A3DC021D685551BD3D

C:\WINDOWS\$NtServicePackUninstall$\netbt.sys -----c- 162816 bytes [19:32 05/11/2008] [09:00 04/08/2004] 0C80E410CD2F47134407EE7DD19CC86B

C:\WINDOWS\ServicePackFiles\i386\netbt.sys ------- 162816 bytes [19:21 13/04/2008] [19:21 13/04/2008] 74B2B2F5BEA5E9A3DC021D685551BD3D

C:\WINDOWS\system32\drivers\netbt.sys --a---- 162816 bytes [21:00 11/08/2004] [19:21 13/04/2008] 6944D2C7D400AAD8907BD0ECA911A9CE

Searching for "vbmacaa8.sys"

C:\Program Files\Trend Micro\Client Server Security Agent\SUSPECT\vbmacaa8.sys --a---- 25497 bytes [21:00 11/08/2004] [12:10 09/02/2009] DB1521586CBD112C0088693661E073F9

Searching for "loader_107.exe"

No files found.

-= EOF =-

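As an added example (not from the thread, and not code from the TDSSKiller or SystemLook authors), the cross-check the two logs above invite, done in Python: it parses TDSSKiller's Forged/Locked detection lines and SystemLook's filefind hits, then asks whether the live system32\drivers\netbt.sys hashes like the cached copies and which of TDSSKiller's two MD5s does, and where any vbmacaa8.sys exists at all. The sample input is constructed from excerpts of the logs posted above; treating C:\i386 and ServicePackFiles as the known-good reference set is this example's assumption.

```python
import re

# Constructed sample input for this example: excerpts of the TDSSKiller and
# SystemLook output posted in the thread (paths and hashes as they appear there).
TDSSKILLER_LOG = r"""
2010/11/15 18:38:15.0296 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\netbt.sys. Real md5: 6944d2c7d400aad8907bd0eca911a9ce, Fake md5: 74b2b2f5bea5e9a3dc021d685551bd3d
2010/11/15 18:38:15.0296 NetBT - detected Forged file (1)
2010/11/15 18:38:16.0591 Suspicious service (NoAccess): vbmacaa8
2010/11/15 18:38:16.0607 vbmacaa8 - detected Locked service (1)
"""
SYSTEMLOOK_LOG = r"""
Searching for "netbt.sys"
C:\i386\netbt.sys --a---- 162816 bytes [20:30 05/11/2008] [19:21 13/04/2008] 74B2B2F5BEA5E9A3DC021D685551BD3D
C:\WINDOWS\$NtServicePackUninstall$\netbt.sys -----c- 162816 bytes [19:32 05/11/2008] [09:00 04/08/2004] 0C80E410CD2F47134407EE7DD19CC86B
C:\WINDOWS\ServicePackFiles\i386\netbt.sys ------- 162816 bytes [19:21 13/04/2008] [19:21 13/04/2008] 74B2B2F5BEA5E9A3DC021D685551BD3D
C:\WINDOWS\system32\drivers\netbt.sys --a---- 162816 bytes [21:00 11/08/2004] [19:21 13/04/2008] 6944D2C7D400AAD8907BD0ECA911A9CE
Searching for "vbmacaa8.sys"
C:\Program Files\Trend Micro\Client Server Security Agent\SUSPECT\vbmacaa8.sys --a---- 25497 bytes [21:00 11/08/2004] [12:10 09/02/2009] DB1521586CBD112C0088693661E073F9
Searching for "loader_107.exe"
No files found.
"""

# TDSSKiller detections: a forged file carries two MD5s (disk content vs. presented content).
FORGED_RE = re.compile(r"Suspicious file \(Forged\): (?P<path>.+?)\. "
                       r"Real md5: (?P<real>[0-9a-f]{32}), Fake md5: (?P<fake>[0-9a-f]{32})")
LOCKED_RE = re.compile(r"Suspicious service \(NoAccess\): (?P<name>\S+)")
# SystemLook filefind hit: <path> <7 attribute flags> <size> bytes [mtime] [ctime] <MD5>
SEARCH_RE = re.compile(r'^Searching for "(?P<name>[^"]+)"$')
HIT_RE = re.compile(r"^(?P<path>.+?) [-A-Za-z]{7} \d+ bytes \[[^\]]+\] \[[^\]]+\] "
                    r"(?P<md5>[0-9A-Fa-f]{32})$")


def parse_tdsskiller(text):
    """Return {'forged': [(path, real_md5, fake_md5)], 'locked': [service_name]}."""
    forged, locked = [], []
    for line in text.splitlines():
        if m := FORGED_RE.search(line):
            forged.append((m["path"], m["real"].lower(), m["fake"].lower()))
        elif m := LOCKED_RE.search(line):
            locked.append(m["name"])
    return {"forged": forged, "locked": locked}


def parse_systemlook(text):
    """Return {searched_name: [(path, md5)]} for every filefind hit."""
    copies, current = {}, None
    for line in text.splitlines():
        if m := SEARCH_RE.match(line):
            current = m["name"].lower()
            copies[current] = []
        elif current and (m := HIT_RE.match(line)):
            copies[current].append((m["path"], m["md5"].lower()))
    return copies


def is_reference_copy(path):
    # Assumption of this example: the installer cache (C:\i386) and the
    # service-pack cache hold known-good copies to compare against.
    p = path.lower()
    return "\\servicepackfiles\\" in p or p.startswith("c:\\i386\\")


def triage(tdss, copies):
    """Cross-reference both logs: does the live system32 copy of each forged driver
    hash like the cached reference copies, and which of TDSSKiller's two hashes does?"""
    findings = []
    for path, real, fake in tdss["forged"]:
        name = path.rsplit("\\", 1)[-1].lower()
        found = copies.get(name, [])
        live = {md5 for p, md5 in found if "\\system32\\" in p.lower()}
        ref = {md5 for p, md5 in found if is_reference_copy(p)}
        findings.append({"file": name,
                         "live_matches_reference": bool(live) and live <= ref,
                         "disk_hash_is_reference": real in ref,
                         "presented_hash_is_reference": fake in ref})
    for svc in tdss["locked"]:  # where, if anywhere, does a same-named .sys exist?
        found = copies.get(f"{svc.lower()}.sys", [])
        findings.append({"service": svc,
                         "driver_in_system32": any("\\system32\\" in p.lower() for p, _ in found),
                         "copies": [p for p, _ in found]})
    return findings


if __name__ == "__main__":
    print(*triage(parse_tdsskiller(TDSSKILLER_LOG), parse_systemlook(SYSTEMLOOK_LOG)), sep="\n")
```

On this input the live netbt.sys matches neither cached copy while the hash TDSSKiller labels Fake does, and the only vbmacaa8.sys on disk sits in Trend Micro's SUSPECT quarantine folder, not under system32.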
